undefined | Better HN

0 pointstrinovantes3y ago0 comments

Technically nothing can be trusted e.g. can anyone trust their silicon, wires, device drivers, compilers, OS, routers, SSL CAs, etc.? Trust has to happen at some point.

The difference is that it's trivial for this developer to insert a backdoor to steal Google credentials since they know exactly how and where the oauth tokens are located. It's significantly harder for e.g. a webpack developer to insert a backdoor to steal Google credentials since they would have to first determine the code it's processing is handling oauth tokens and then figure out where they are stored.

The barrier to entry is the key in assessing your threat model. 3 letter agencies may not care about the cost if the target is valuable but a bored kid on the other side of the world will give up pretty quickly.

0 comments

cmeacham983y ago

> The difference is that it's trivial for this developer to insert a backdoor to steal Google credentials since they know exactly how and where the oauth tokens are located

So does all the malware: your browser's cookie store

trinovantesOP3y ago

Not every application runs in the browser i.e. not SPA and any injected frontend js would have to bypass browser's sandboxing to steal another domain's cookies i.e. a zero day which is beyond your threat model

cmeacham983y ago

> Not every application runs in the browser

We're talking about YouTube in this thread.

> any injected frontend js would have to bypass browser's sandboxing to steal another domain's cookies i.e. a zero day which is beyond your threat model

Where did this random unrelated attack vector come from? We're going talking about running untrusted software on your computer, remember? That's the attack vector we're discussing.

Your point was "malware in random unrelated software won't know where to look for my YouTube session key", my response was "it will".

1 more reply

j / k navigate · click thread line to collapse

0 pointstrinovantes3y ago0 comments

Technically nothing can be trusted e.g. can anyone trust their silicon, wires, device drivers, compilers, OS, routers, SSL CAs, etc.? Trust has to happen at some point.

0 comments

cmeacham983y ago

> The difference is that it's trivial for this developer to insert a backdoor to steal Google credentials since they know exactly how and where the oauth tokens are located

So does all the malware: your browser's cookie store

trinovantesOP3y ago

cmeacham983y ago

> Not every application runs in the browser

We're talking about YouTube in this thread.

> any injected frontend js would have to bypass browser's sandboxing to steal another domain's cookies i.e. a zero day which is beyond your threat model

Where did this random unrelated attack vector come from? We're going talking about running untrusted software on your computer, remember? That's the attack vector we're discussing.

Your point was "malware in random unrelated software won't know where to look for my YouTube session key", my response was "it will".

1 more reply

j / k navigate · click thread line to collapse